event correlation

About this tag
Event correlation on Windows systems involves linking related security audit events to reconstruct a complete activity timeline. A common challenge is connecting Event ID 4660 (object deletion) with Event ID 4663 (access attempt) to identify which file or folder was deleted and by whom. Since ID 4660 lacks file or folder names, correlation relies on shared fields such as Handle ID, Process ID, or Object Server. By matching these fields across events, administrators can determine that a specific user deleted a named file, enabling accurate forensic analysis and accountability tracking in enterprise environments.
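The matching step described above, as an added Python example (not code from the page or from Microsoft): 4663 records carry the ObjectName, 4660 records do not, so each deletion is attributed to the most recent earlier 4663 with the same HandleId and ProcessId. The event records are constructed for illustration; the `Event` class and `correlate_deletions` function are this example's own.

```python
"""Correlate Security log events 4663 (object access) and 4660 (object deleted)
by Handle ID and Process ID to recover the name of the deleted object.
Added example; the event records below are constructed, not taken from a real log."""
from dataclasses import dataclass

@dataclass
class Event:
    record: int      # EventRecordID, used as the chronological order
    event_id: int    # 4663 or 4660
    subject: str     # SubjectUserName
    handle_id: str   # HandleId (Windows reuses the value once a handle closes)
    process_id: str  # ProcessId
    object_name: str = ""   # ObjectName: present on 4663, absent on 4660
    accesses: str = ""      # AccessMask: 0x10000 is DELETE

# Constructed sample: two users delete different files through handles that
# happen to share the same Handle ID value, plus a 4660 with no 4663 captured.
EVENTS = [
    Event(101, 4663, "alice", "0x3a4", "0x1f40", r"C:\Share\budget.xlsx", "0x10000"),
    Event(102, 4660, "alice", "0x3a4", "0x1f40"),
    Event(103, 4663, "bob",   "0x3a4", "0x2b10", r"C:\Share\notes.txt", "0x10000"),
    Event(104, 4660, "bob",   "0x3a4", "0x2b10"),
    Event(105, 4660, "carol", "0x999", "0x3333"),
]

def correlate_deletions(events):
    """Return one (subject, object_name) pair per 4660 event.
    The latest earlier 4663 with the same Handle ID *and* Process ID names the
    object; keying on Handle ID alone would mis-attribute reused handle values."""
    ordered = sorted(events, key=lambda e: e.record)
    last_access = {}   # (handle_id, process_id) -> most recent 4663 seen so far
    results = []
    for ev in ordered:
        key = (ev.handle_id, ev.process_id)
        if ev.event_id == 4663:
            last_access[key] = ev
        elif ev.event_id == 4660:
            hit = last_access.pop(key, None)   # the deletion consumes the handle
            name = hit.object_name if hit else "<unknown: no matching 4663>"
            results.append((ev.subject, name))
    return results

if __name__ == "__main__":
    for who, what in correlate_deletions(EVENTS):
        print(f"{who} deleted {what}")
```

A 4660 with no matching 4663 usually means object-access auditing was not enabled on that object, so the name cannot be recovered from the log alone.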

    Windows 10: What fields are common between IDs 4660 and 4663?

    Hello, I want to know which file or folder was deleted by whom. The problem is that there is no file or folder name in ID 4660 and I need to extract the file or folder name from ID 4663, but how do I link these together? How do I know which ID 4660 is related to which ID 4663? What field is...